Analysis Overview
SHA256: b27372b955d8e6cf46a3d36826511468504f8d58b5f24720351bf85f123cfea5
Threat Level: Known bad
The file nursultan alpha.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Process spawned unexpected child process
DCRat payload
Downloads MZ/PE file
Executes dropped EXE
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-18 09:00
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-18 09:00
Reported: 2024-07-18 09:03
Platform: win10-20240404-en
Max time kernel: 150s
Max time network: 152s
Signatures
DcRat
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| File created | C:\Windows\PLA\ebf1f9fa8afd6d | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| N/A | N/A | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\rsod\f3b6ecef712a24 | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File created | C:\Program Files\Windows Defender\Offline\sihost.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File created | C:\Program Files\Windows Defender\Offline\66fc9ff0ee96c2 | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\PLA\cmd.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File opened for modification | C:\Windows\PLA\cmd.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File created | C:\Windows\PLA\ebf1f9fa8afd6d | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\es-ES\29c1c3cc0f7685 | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\AgentDriversavesrefmonitor\browserFontdll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe | "C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\cN02MCsoKlkD.vbe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\file.vbs" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\AgentDriversavesrefmonitor\KXGsF5yeLPYE.bat" " |
| C:\AgentDriversavesrefmonitor\browserFontdll.exe | "C:\AgentDriversavesrefmonitor\browserFontdll.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\cmd.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\cmd.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\rsod\spoolsv.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Offline\sihost.exe'" /rl HIGHEST /f |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe | "C:\Windows\PolicyDefinitions\es-ES\unsecapp.exe" |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | xdenisq5.beget.tech | udp |
| RU | 5.101.153.31:80 | xdenisq5.beget.tech | tcp |
| RU | 5.101.153.31:80 | xdenisq5.beget.tech | tcp |
| US | 8.8.8.8:53 | 31.153.101.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 5.101.153.31:80 | xdenisq5.beget.tech | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\AgentDriversavesrefmonitor\cN02MCsoKlkD.vbe
| Hash | Value |
|---|---|
| MD5 | a732935b7511a789de0a7fe84b991d42 |
| SHA1 | b99ae053d5df9684f12da7ad90e6e8a56c9d0b4e |
| SHA256 | b686a1c9ece16e8bf2e95a769128b30c047f14413dadddfc422f288dd6e8aa99 |
| SHA512 | e9b249a2419e5dbdd0e9cfd238f1f6e1559bdd1efc0264d52b4f4bb5fa10b128138a54d2060cecab4f62f815fafc952329a1e8377b756fd8178e4f41d87273d1 |
C:\AgentDriversavesrefmonitor\file.vbs
| Hash | Value |
|---|---|
| MD5 | 677cc4360477c72cb0ce00406a949c61 |
| SHA1 | b679e8c3427f6c5fc47c8ac46cd0e56c9424de05 |
| SHA256 | f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b |
| SHA512 | 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a |
C:\AgentDriversavesrefmonitor\KXGsF5yeLPYE.bat
| Hash | Value |
|---|---|
| MD5 | fdee2979f8de0e9a4a11bfecb268b97a |
| SHA1 | 2cdf74132e975745894a81db47814ff38e43a71c |
| SHA256 | 9bf130c323cb7fee0ab32dfdd9e4065ede767babd5f763e96ebbe5f09f577028 |
| SHA512 | 281be0377447c63debf6d35b52a21c9b193ada7b9c153685cf99963d31dcff89070f167477be99f5fd959be1894bd59725023c1b1c1f5078fadecade14ca7557 |
C:\AgentDriversavesrefmonitor\browserFontdll.exe
| Hash | Value |
|---|---|
| MD5 | 692f6967406106fc784223f04ec69b8c |
| SHA1 | e6e174a86f9df6041a00d38f2b39506456f60602 |
| SHA256 | 424468b014466c994112ec496e18fd5d7a693b28b411c0ca52229704cd2ef574 |
| SHA512 | 14f14d50e76c2c179cb3c2b1ea1861fe0776b8eb7cb5798b277a1bf7fca2cd11e79a3355d28c36130deb4a916e462e314b38b346f7069ca86d765826ff14408f |
C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat
| Hash | Value |
|---|---|
| MD5 | 0f53b12e0a9936a2eae81863bcde8994 |
| SHA1 | 0e28cff0e08af514fd688cf33cadd0d3b73361e2 |
| SHA256 | 3616d7adfca2257eb39d813b298a365414423241a4374809c77bfe64a66584b8 |
| SHA512 | 14ac6d017f6bc061c2ad8839dfe3e93816829305fed7886e930c2b6626aa57d94b642e82a509bce8b701f070e01637a6fb4ac49b2dab3c19e5dec2e2eba4b0ee |